z/OS Cryptographic Services System SSL Programming


Copying a certificate without its private key

SC14-7495-00

To copy a certificate without its private key to a different platform or system (for certificate validation), select 1 - Manage keys and certificates from the Key Management Menu or the Token Management Menu. This displays the Key and Certificate List or the Token Key and Certificate List, respectively. Find the label of the certificate to be copied and enter the number associated with the label. In the Key and Certificate Menu or the Token Key and Certificate Menu, enter option 6 to export the certificate to a file. The Export File Format menu appears:

Figure 1. Copying a Certificate Without its Private Key
                                                                     
       Export File Format                                            
                                                                     
   1 - Binary ASN.1 DER                                              
   2 - Base64 ASN.1 DER                                              
   3 - Binary PKCS #7                                                
   4 - Base64 PKCS #7                                                
                                                                     
Select export format (press ENTER to return to menu): 1 <enter>             
Enter export file name (press ENTER to return to menu): expfile.der <enter>     
                                                                     
Certificate exported.                                                
                                                                     
Press ENTER to continue.                                             
 ===>                                                                
                                                                     

You are prompted to select the file format for the exported certificate information.

The file format is determined by the support on the receiving system. When the receiving system implementation is z/OS® System SSL V1R2 or earlier, the selected format must be one of the ASN.1 DER formats.

After selecting the export format, you are asked for a file name. You can then transfer this file to the target system and import the certificate. If copying to a remote system, transfer the file in binary if option 1 or 3 was selected, or in ASCII (TEXT) if option 2 or 4 was selected. For information about receiving the certificate into the key database file or z/OS PKCS #11 token, see Importing a certificate from a file as a trusted CA certificate. After the certificate is successfully received, it can be used to validate the SSL partner's certificate. This means that a client with the imported certificate can validate the server's certificate, while a server with the imported certificate can validate the client's certificate when client authentication is requested.
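
An added example, not part of the IBM documentation: a receiving-side check in Python that names which of the four export formats a transferred file matches and flags a file whose length no longer agrees with its DER header, as can happen when a binary export is transferred in text mode. The function names and sample bytes are constructed for illustration, and skipping `-----` armor lines in Base64 files is an assumption about the file layout.

```python
import base64

# DER encoding of the PKCS #7 signedData OID (1.2.840.113549.1.7.2).
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")

def outer_sequence(der):
    """Return (header_len, total_len) declared by the outer DER SEQUENCE, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short-form length
        return 2, 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n, 2 + n + int.from_bytes(der[2:2 + n], "big")

def classify_export(raw):
    """Name the Export File Format option a received file matches, or report damage."""
    encoding, der = "Binary", raw
    if raw[:1] != b"\x30":                 # not raw DER, so try Base64 text
        body = b"".join(l.strip() for l in raw.splitlines()
                        if not l.startswith(b"-----"))   # skip any armor lines
        try:
            encoding, der = "Base64", base64.b64decode(body, validate=True)
        except ValueError:
            return "unrecognized"
    seq = outer_sequence(der)
    if seq is None:
        return "unrecognized"
    header_len, total_len = seq
    if total_len != len(der):              # e.g. line endings rewritten in transit
        return f"damaged: DER declares {total_len} bytes, file has {len(der)}"
    inner = der[header_len:]
    if inner.startswith(SIGNED_DATA_OID):  # ContentInfo starts with its content type
        return f"{encoding} PKCS #7"
    if inner[:1] == b"\x30":               # Certificate starts with tbsCertificate
        return f"{encoding} ASN.1 DER"
    return "unrecognized"

# Constructed samples: minimal DER shells, not real certificates.
SAMPLE_CERT = bytes.fromhex("3005300302010a")
SAMPLE_P7 = bytes.fromhex("300d06092a864886f70d010702a000")

if __name__ == "__main__":
    print(classify_export(SAMPLE_CERT))
    print(classify_export(base64.encodebytes(SAMPLE_P7)))
    print(classify_export(SAMPLE_CERT.replace(b"\n", b"\r\n")))
```

A result of "unrecognized" or "damaged" on a file exported with option 1 or 3 is a cue to repeat the transfer in binary mode before attempting the import.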

You must also determine if the certificate should be marked as the default certificate. Setting the certificate as the default certificate allows the certificate to be used by the SSL APIs without having to specify its label. For more information about setting the default certificate, see Marking a certificate (and private key) as the default certificate.





Copyright IBM Corporation 1990, 2014